HPSM Secure assignment groups - hide assigned tickets from any user who is not a member of the group

Hi Experts,

Kindly provide me some idea to develop the below requirement.

Requirement :  

As a Business Application Owner, I want to be able to configure specific assignment groups so that any ticket assigned to that group is only visible to members of that group, so that organizational units with increased confidentiality requirements may use Service Manager to handle their tickets without exposing confidential data to non-authorized users.

Thanks in advance,



  • Service Manager has a concept of Mandants/Folders.  It segregates the application so that it becomes multi-tenant, where one group of users won't be able to interact with another group of users' transactional data.

  • There are multiple existing topics about Mandanten. 



    For this scenario, there are several options:

    • Configure mandanten groups which exclude records for each controlled access assignment group. Note that depending on the number of groups which must be restricted, it may be simpler to create a separate exclusion group for each of those assignment groups.
    • Based on the operator's assignment group membership, assign the mandant groups to exclude those records to which the user should not have access. 
    • Alternatively, configure mandant restricting queries and call those. 

    Note that the biggest challenge will be maintaining the operator-level mandanten filters (Security Groups array) as assignment group membership changes. I have automated that in the past by using format control to automatically assign mandanten based on a user's assignment group membership. 

    You could also investigate using a calculated list of assignment groups to exclude is generated by login.DEFAULT.  This would simplify maintenance:

    In login detault you could build the array as follows in calculations:

    Calc Condition: true
    Calc:     $lo.restrictAccessList = {}
    Calc Condition: index("assignmentGroupName1", $lo.pm.assignments)=0
    Calc: $lo.restrictAccessList = lo.restrictAccessList   {"assignmentGroupName1"}
    Calc Condition: index("assignmentGroupName2", $lo.pm.assignments)=0
    Calc: $lo.restrictAccessList = lo.restrictAccessList   {"assignmentGroupName2"}
    Calc Condition: index("assignmentGroupName3", $lo.pm.assignments)=0
    Calc: $lo.restrictAccessList = lo.restrictAccessList   {"assignmentGroupName3"}

    Thenm use the result in your mandant restricting query:

    not assignment isin $lo.restrictAccessList

    Note: I haven't tested any of this, it's just a concept. You would need to build and test thoroughly in your DEV environment.